State audit red flags Millbrook Central School District’s IT Dept.

MILLBROOK — The Millbrook Central School District (MCSD) was called out by the New York State Comptroller’s Office during a recent audit for several red flags found during the review. It was the result of  an Information Technology (IT) audit released on Aug. 20; the objective was to determine if officials at the MCSD established adequate controls over user accounts in order to prevent unauthorized access, use and loss. 

According to Comptroller Thomas DiNapoli, they did not have adequate controls over user accounts, did not prevent unauthorized access, use or loss and did not periodically review and disable unneeded network user accounts. Additionally, the audit found that the MCSD did not develop a breach notification policy as mandated by New York State law. 

“When we heard they were going to audit us, we looked at it as a good thing,” said President of the Millbrook Board of Education (BOE) Perry Hartswick. “With so many technical challenges from COVID, any extra eyes were a good thing. What they found were important issues, but simple.”

The audit, which was conducted from July 1, 2019 through Nov. 8, 2020, showed the accounts of 46 students no longer enrolled in the district were active, as were the accounts of 13 employees who left their jobs and did not have their accounts disabled from the years 2013-2018. Nine generic accounts were also not disabled for the years 2015-2018.

According to the review, “the user accounts provided access to the district’s network and should have been actively managed to minimize the risk of misuse.” If not, it warned, those accounts could be “potential entry points for attackers to inappropriately access and view Personal, Private or Sensitive Information (PPSI) on the network.” 

The state also advised that districts should have “written procedures in place for granting, changing and revoking user permissions to the network; also, to minimize the risk of unauthorized access, district officials should regularly review enabled network user accounts to ensure they are still needed. Officials must disable unnecessary or unneeded accounts promptly, including user accounts of former employees.”

Recommendations made were for the district “to develop written procedures to manage system access, which will include a periodic review of user access and disabling user accounts when access is no longer needed.” DiNapoli also recommended the development of a breach notification policy.

The MCSD serves not only the village of Millbrook, but the towns of Washington, Union Vale, Clinton, LaGrange, Stanford and Pleasant Valley. Its Board of Education has seven elected board members. 

Superintendent of Schools Laura Mitchell, who began her position in January 2020, did not return multiple requests for an interview but did respond to the audit report on the district’s website, www.millbrookcsd.org. 

“The district is in agreement with these recommendations and is in the process of developing policies and procedures accordingly,” stated Mitchell. “Specifically, the district has already implemented a protocol for regular verification of student enrollment for the specific purposes of maintaining, creating or deactivating students accounts.” 

The district has 944 students and 350 employees, with network user accounts totaling 1,325.

“A parallel process is being developed for staff accounts,” added the superintendent. “The district will also continue working with our local BOCES and cyber security support partners to create an appropriate breach notification policy.”

Some residents took to Facebook to comment on the report, in less than flattering terms. 

“They keep getting money given to that department and the meetings are harder to watch now than when they were on Zoom. The camera and microphone that they have implemented is terrible.” 

Another comment simply said the report was “shocking.”

The MCSD has touted its technology department throughout the years, starting in 2004 through 2007 and again from 2016 through 2019. In April 2020, Elliott Garcia was hired as director of Technology and Data Services. 

Since then the district said it has been making great strides to update both its equipment and its IT practices to protect student and staff accounts. 

Hartswick said that since Garcia was hired he has “devised a plan and executed it, resolving the issues pointed out” in the state audit.